mirror of https://github.com/BOINC/boinc.git
514 lines
15 KiB
C++
514 lines
15 KiB
C++
// Berkeley Open Infrastructure for Network Computing
|
|
// http://boinc.berkeley.edu
|
|
// Copyright (C) 2005 University of California
|
|
//
|
|
// This is free software; you can redistribute it and/or
|
|
// modify it under the terms of the GNU Lesser General Public
|
|
// License as published by the Free Software Foundation;
|
|
// either version 2.1 of the License, or (at your option) any later version.
|
|
//
|
|
// This software is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
|
// See the GNU Lesser General Public License for more details.
|
|
//
|
|
// To view the GNU Lesser General Public License visit
|
|
// http://www.gnu.org/copyleft/lesser.html
|
|
// or write to the Free Software Foundation, Inc.,
|
|
// 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
//
|
|
|
|
#include "stdafx.h"
|
|
#include "boinccas.h"
|
|
#include "CACreateBOINCGroups.h"
|
|
#include "lsaprivs.h"
|
|
|
|
|
|
#define CUSTOMACTION_NAME _T("CACreateBOINCGroups")
|
|
#define CUSTOMACTION_PROGRESSTITLE _T("Validating user groups used by BOINC for secure sandboxes")
|
|
|
|
|
|
/////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Function:
|
|
//
|
|
// Description:
|
|
//
|
|
/////////////////////////////////////////////////////////////////////
|
|
CACreateBOINCGroups::CACreateBOINCGroups(MSIHANDLE hMSIHandle) :
|
|
BOINCCABase(hMSIHandle, CUSTOMACTION_NAME, CUSTOMACTION_PROGRESSTITLE)
|
|
{}
|
|
|
|
|
|
/////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Function:
|
|
//
|
|
// Description:
|
|
//
|
|
/////////////////////////////////////////////////////////////////////
|
|
CACreateBOINCGroups::~CACreateBOINCGroups()
|
|
{
|
|
BOINCCABase::~BOINCCABase();
|
|
}
|
|
|
|
|
|
/////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Function:
|
|
//
|
|
// Description:
|
|
//
|
|
/////////////////////////////////////////////////////////////////////
|
|
UINT CACreateBOINCGroups::OnExecution()
|
|
{
|
|
NET_API_STATUS nasReturnValue;
|
|
DWORD dwParameterError;
|
|
UINT uiReturnValue;
|
|
BOOL bBOINCAdminsCreated = FALSE;
|
|
BOOL bBOINCUsersCreated = FALSE;
|
|
BOOL bBOINCProjectsCreated = FALSE;
|
|
tstring strUserSID;
|
|
tstring strUsersGroupName;
|
|
tstring strBOINCMasterAccountUsername;
|
|
tstring strBOINCProjectAccountUsername;
|
|
tstring strEnableProtectedApplicationExecution;
|
|
PSID pAdminSID = NULL;
|
|
PSID pInstallingUserSID = NULL;
|
|
PSID pBOINCMasterSID = NULL;
|
|
PSID pBOINCProjectSID = NULL;
|
|
SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
|
|
|
|
|
|
uiReturnValue = GetProperty( _T("UserSID"), strUserSID );
|
|
if ( uiReturnValue ) return uiReturnValue;
|
|
|
|
uiReturnValue = GetProperty( _T("GROUPALIAS_USERS"), strUsersGroupName );
|
|
if ( uiReturnValue ) return uiReturnValue;
|
|
|
|
uiReturnValue = GetProperty( _T("BOINC_MASTER_USERNAME"), strBOINCMasterAccountUsername );
|
|
if ( uiReturnValue ) return uiReturnValue;
|
|
|
|
uiReturnValue = GetProperty( _T("BOINC_PROJECT_USERNAME"), strBOINCProjectAccountUsername );
|
|
if ( uiReturnValue ) return uiReturnValue;
|
|
|
|
uiReturnValue = GetProperty( _T("ENABLEPROTECTEDAPPLICATIONEXECUTION3"), strEnableProtectedApplicationExecution );
|
|
if ( uiReturnValue ) return uiReturnValue;
|
|
|
|
|
|
// Create a SID for the BUILTIN\Administrators group.
|
|
if(!AllocateAndInitializeSid(
|
|
&SIDAuthNT, 2,
|
|
SECURITY_BUILTIN_DOMAIN_RID,
|
|
DOMAIN_ALIAS_RID_ADMINS,
|
|
0, 0, 0, 0, 0, 0,
|
|
&pAdminSID))
|
|
{
|
|
LogMessage(
|
|
INSTALLMESSAGE_ERROR,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
GetLastError(),
|
|
_T("AllocateAndInitializeSid Error for BUILTIN\\Administrators")
|
|
);
|
|
return ERROR_INSTALL_FAILURE;
|
|
}
|
|
|
|
// Create a SID for the current logged in user.
|
|
if(!ConvertStringSidToSid(strUserSID.c_str(), &pInstallingUserSID))
|
|
{
|
|
LogMessage(
|
|
INSTALLMESSAGE_ERROR,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
GetLastError(),
|
|
_T("ConvertStringSidToSid Error for installing user")
|
|
);
|
|
return ERROR_INSTALL_FAILURE;
|
|
}
|
|
|
|
// Create a SID for the 'boinc_master' user account.
|
|
if (_T("1") == strEnableProtectedApplicationExecution) {
|
|
|
|
if(!GetAccountSid(NULL, strBOINCMasterAccountUsername.c_str(), &pBOINCMasterSID))
|
|
{
|
|
LogMessage(
|
|
INSTALLMESSAGE_ERROR,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
GetLastError(),
|
|
_T("GetAccountSid Error for 'boinc_master' user account")
|
|
);
|
|
return ERROR_INSTALL_FAILURE;
|
|
}
|
|
|
|
}
|
|
|
|
// Create a SID for the 'boinc_project' user account.
|
|
if (_T("1") == strEnableProtectedApplicationExecution) {
|
|
|
|
if(!GetAccountSid(NULL, strBOINCProjectAccountUsername.c_str(), &pBOINCProjectSID))
|
|
{
|
|
LogMessage(
|
|
INSTALLMESSAGE_ERROR,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
GetLastError(),
|
|
_T("GetAccountSid Error for 'boinc_master' user account")
|
|
);
|
|
return ERROR_INSTALL_FAILURE;
|
|
}
|
|
|
|
}
|
|
|
|
|
|
// Create the 'boinc_admins' group if needed
|
|
//
|
|
LOCALGROUP_INFO_1 lgrpiAdmins;
|
|
|
|
lgrpiAdmins.lgrpi1_name = _T("boinc_admins");
|
|
lgrpiAdmins.lgrpi1_comment = _T("Accounts in this group can control the BOINC client.");
|
|
|
|
nasReturnValue = NetLocalGroupAdd(
|
|
NULL,
|
|
1,
|
|
(LPBYTE)&lgrpiAdmins,
|
|
&dwParameterError
|
|
);
|
|
|
|
if ((NERR_Success != nasReturnValue) && (ERROR_ALIAS_EXISTS != nasReturnValue)) {
|
|
LogMessage(
|
|
INSTALLMESSAGE_INFO,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("NetLocalGroupAdd retval")
|
|
);
|
|
LogMessage(
|
|
INSTALLMESSAGE_ERROR,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("Failed to create the 'boinc_admins' group.")
|
|
);
|
|
return ERROR_INSTALL_FAILURE;
|
|
}
|
|
|
|
if (NERR_Success == nasReturnValue) {
|
|
bBOINCAdminsCreated = TRUE;
|
|
}
|
|
|
|
// If we just created the 'boinc_admins' local group then we need to populate
|
|
// it with the default accounts.
|
|
LOCALGROUP_MEMBERS_INFO_0 lgrmiAdmins;
|
|
lgrmiAdmins.lgrmi0_sid = pAdminSID;
|
|
|
|
nasReturnValue = NetLocalGroupAddMembers(
|
|
NULL,
|
|
_T("boinc_admins"),
|
|
0,
|
|
(LPBYTE)&lgrmiAdmins,
|
|
1
|
|
);
|
|
|
|
if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
|
|
LogMessage(
|
|
INSTALLMESSAGE_INFO,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("NetLocalGroupAddMembers retval")
|
|
);
|
|
LogMessage(
|
|
INSTALLMESSAGE_ERROR,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("Failed to add user to the 'boinc_admins' group (Administrator).")
|
|
);
|
|
return ERROR_INSTALL_FAILURE;
|
|
}
|
|
|
|
lgrmiAdmins.lgrmi0_sid = pInstallingUserSID;
|
|
|
|
nasReturnValue = NetLocalGroupAddMembers(
|
|
NULL,
|
|
_T("boinc_admins"),
|
|
0,
|
|
(LPBYTE)&lgrmiAdmins,
|
|
1
|
|
);
|
|
|
|
if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
|
|
LogMessage(
|
|
INSTALLMESSAGE_INFO,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("NetLocalGroupAddMembers retval")
|
|
);
|
|
LogMessage(
|
|
INSTALLMESSAGE_ERROR,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("Failed to add user to the 'boinc_admins' group (Installing User).")
|
|
);
|
|
return ERROR_INSTALL_FAILURE;
|
|
}
|
|
|
|
if (_T("1") == strEnableProtectedApplicationExecution) {
|
|
|
|
lgrmiAdmins.lgrmi0_sid = pBOINCMasterSID;
|
|
|
|
nasReturnValue = NetLocalGroupAddMembers(
|
|
NULL,
|
|
_T("boinc_admins"),
|
|
0,
|
|
(LPBYTE)&lgrmiAdmins,
|
|
1
|
|
);
|
|
|
|
if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
|
|
LogMessage(
|
|
INSTALLMESSAGE_INFO,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("NetLocalGroupAddMembers retval")
|
|
);
|
|
LogMessage(
|
|
INSTALLMESSAGE_ERROR,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("Failed to add user to the 'boinc_admins' group (BOINC Master).")
|
|
);
|
|
return ERROR_INSTALL_FAILURE;
|
|
}
|
|
|
|
}
|
|
|
|
|
|
// Create the 'boinc_users' group if needed
|
|
//
|
|
LOCALGROUP_INFO_1 lgrpiUsers;
|
|
|
|
lgrpiUsers.lgrpi1_name = _T("boinc_users");
|
|
lgrpiUsers.lgrpi1_comment = _T("Accounts in this group can monitor the BOINC client.");
|
|
|
|
nasReturnValue = NetLocalGroupAdd(
|
|
NULL,
|
|
1,
|
|
(LPBYTE)&lgrpiUsers,
|
|
&dwParameterError
|
|
);
|
|
|
|
if ((NERR_Success != nasReturnValue) && (ERROR_ALIAS_EXISTS != nasReturnValue)) {
|
|
LogMessage(
|
|
INSTALLMESSAGE_INFO,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("NetLocalGroupAdd retval")
|
|
);
|
|
LogMessage(
|
|
INSTALLMESSAGE_ERROR,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("Failed to create the 'boinc_users' group.")
|
|
);
|
|
return ERROR_INSTALL_FAILURE;
|
|
}
|
|
|
|
if (NERR_Success == nasReturnValue) {
|
|
bBOINCUsersCreated = TRUE;
|
|
}
|
|
|
|
|
|
// Create the 'boinc_project' group if needed
|
|
//
|
|
LOCALGROUP_INFO_1 lgrpiProjects;
|
|
|
|
lgrpiProjects.lgrpi1_name = _T("boinc_projects");
|
|
lgrpiProjects.lgrpi1_comment = _T("Accounts in this group are used to execute boinc applications.");
|
|
|
|
nasReturnValue = NetLocalGroupAdd(
|
|
NULL,
|
|
1,
|
|
(LPBYTE)&lgrpiProjects,
|
|
&dwParameterError
|
|
);
|
|
|
|
if ((NERR_Success != nasReturnValue) && (ERROR_ALIAS_EXISTS != nasReturnValue)) {
|
|
LogMessage(
|
|
INSTALLMESSAGE_INFO,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("NetLocalGroupAdd retval")
|
|
);
|
|
LogMessage(
|
|
INSTALLMESSAGE_ERROR,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("Failed to create the 'boinc_projects' group.")
|
|
);
|
|
return ERROR_INSTALL_FAILURE;
|
|
}
|
|
|
|
if (NERR_Success == nasReturnValue) {
|
|
bBOINCProjectsCreated = TRUE;
|
|
}
|
|
|
|
// If the user has enabled protected application execution then we need to add the 'boinc_project'
|
|
// account to the local group and the 'Users' local group. As an aside 'boinc_master' is also added
|
|
// to the 'Users' group.
|
|
if (_T("1") == strEnableProtectedApplicationExecution) {
|
|
|
|
LOCALGROUP_MEMBERS_INFO_0 lgrmiMembers;
|
|
|
|
lgrmiMembers.lgrmi0_sid = pBOINCProjectSID;
|
|
|
|
nasReturnValue = NetLocalGroupAddMembers(
|
|
NULL,
|
|
_T("boinc_projects"),
|
|
0,
|
|
(LPBYTE)&lgrmiMembers,
|
|
1
|
|
);
|
|
|
|
if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
|
|
LogMessage(
|
|
INSTALLMESSAGE_INFO,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("NetLocalGroupAddMembers retval")
|
|
);
|
|
LogMessage(
|
|
INSTALLMESSAGE_ERROR,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("Failed to add user to the 'boinc_projects' group (boinc_project).")
|
|
);
|
|
return ERROR_INSTALL_FAILURE;
|
|
}
|
|
|
|
nasReturnValue = NetLocalGroupAddMembers(
|
|
NULL,
|
|
strUsersGroupName.c_str(),
|
|
0,
|
|
(LPBYTE)&lgrmiMembers,
|
|
1
|
|
);
|
|
|
|
if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
|
|
LogMessage(
|
|
INSTALLMESSAGE_INFO,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("NetLocalGroupAddMembers retval")
|
|
);
|
|
LogMessage(
|
|
INSTALLMESSAGE_ERROR,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("Failed to add user to the 'Users' group (boinc_project).")
|
|
);
|
|
return ERROR_INSTALL_FAILURE;
|
|
}
|
|
|
|
lgrmiMembers.lgrmi0_sid = pBOINCMasterSID;
|
|
|
|
nasReturnValue = NetLocalGroupAddMembers(
|
|
NULL,
|
|
strUsersGroupName.c_str(),
|
|
0,
|
|
(LPBYTE)&lgrmiMembers,
|
|
1
|
|
);
|
|
|
|
if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
|
|
LogMessage(
|
|
INSTALLMESSAGE_INFO,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("NetLocalGroupAddMembers retval")
|
|
);
|
|
LogMessage(
|
|
INSTALLMESSAGE_ERROR,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
nasReturnValue,
|
|
_T("Failed to add user to the 'Users' group (boinc_master).")
|
|
);
|
|
return ERROR_INSTALL_FAILURE;
|
|
}
|
|
}
|
|
|
|
SetProperty( _T("BOINC_ADMINS_GROUPNAME"), _T("boinc_admins") );
|
|
SetProperty( _T("BOINC_USERS_GROUPNAME"), _T("boinc_users") );
|
|
SetProperty( _T("BOINC_PROJECTS_GROUPNAME"), _T("boinc_projects") );
|
|
|
|
if (bBOINCAdminsCreated || bBOINCUsersCreated || bBOINCProjectsCreated) {
|
|
RebootWhenFinished();
|
|
}
|
|
|
|
if(pAdminSID != NULL) FreeSid(pAdminSID);
|
|
if(pInstallingUserSID != NULL) FreeSid(pInstallingUserSID);
|
|
if(pBOINCMasterSID != NULL) FreeSid(pBOINCMasterSID);
|
|
if(pBOINCProjectSID != NULL) FreeSid(pBOINCProjectSID);
|
|
|
|
return ERROR_SUCCESS;
|
|
}
|
|
|
|
|
|
/////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Function: CreateBOINCGroups
|
|
//
|
|
// Description: This custom action creates the three user groups that'll
|
|
// be used to enforce the account based sandboxing scheme
|
|
// on Windows.
|
|
//
|
|
/////////////////////////////////////////////////////////////////////
|
|
UINT __stdcall CreateBOINCGroups(MSIHANDLE hInstall)
|
|
{
|
|
UINT uiReturnValue = 0;
|
|
|
|
CACreateBOINCGroups* pCA = new CACreateBOINCGroups(hInstall);
|
|
uiReturnValue = pCA->Execute();
|
|
delete pCA;
|
|
|
|
return uiReturnValue;
|
|
}
|